CVE-2026-3655
Description
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwp_ajax_register AJAX handler not binding the Firebase session to the phone number supplied in the request. The idehweb_lwp_activate_through_firebase() function validates that a Firebase OTP session is legitimate, but the phoneNumber returned by Firebase is never compared against the victim's stored phone number. This makes it possible for unauthenticated attackers to authenticate as any user who has a phone number stored in user meta, including administrators, by verifying their own Firebase session and supplying the victim's phone number in the same request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authentication bypass in WordPress phone number login plugin allows unauthenticated attackers to log in as any user, including admins.
Vulnerability
The OTP Login With Phone Number plugin for WordPress versions 1.8.50 to 1.8.60 contains an authentication bypass vulnerability in the lwp_ajax_register AJAX handler. The function idehweb_lwp_activate_through_firebase() validates a Firebase OTP session, but the phoneNumber returned by Firebase is never compared with the victim's stored phone number. This allows an attacker to supply any user's phone number in the request while using their own Firebase OTP session, bypassing authentication [1][3].
Exploitation
An unauthenticated attacker can exploit this by first completing a legitimate Firebase OTP verification with their own phone number, obtaining a valid Firebase session. Then, in a request to lwp_ajax_register, they supply the victim's phone number (e.g., an administrator's) along with their own Firebase session token. Because the plugin never cross-checks that the phone number bound to the Firebase session matches the phone number supplied in the request, it resolves the account from the attacker-controlled number and logs the attacker in as the victim [2][4].
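The flaw described above, modelled as an added example in Python. This is not the plugin's PHP and not code from the project: the user table, the FakeFirebase session check, the token string and the function names login_vulnerable / login_fixed are all constructed assumptions. The real handler is lwp_ajax_register in inc/ajax-handlers.php. The vulnerable function validates the session and then takes the identity from the request; the hardened function takes the identity only from the phone number the Firebase session actually verified, and rejects any client-supplied number that does not match after normalization.

```python
"""Model of the CVE-2026-3655 flaw: an OTP login that validates a Firebase
session but never binds it to the phone number the client claims.

Added example, not the plugin's code. FakeFirebase, USERS, the token
"tok-attacker" and the login_* functions are assumptions for illustration.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class User:
    user_id: int
    login: str
    phone: str  # stored in user meta, E.164


# Constructed sample user table: the victim admin and the attacker's own account.
USERS = [
    User(1, "admin", "+15550000001"),
    User(7, "attacker", "+15550000099"),
]


def normalize_phone(raw: str) -> str:
    """Canonicalize to E.164-style form: drop spaces, dashes and parens, keep '+'."""
    digits = re.sub(r"[^\d+]", "", raw.strip())
    return digits if digits.startswith("+") else "+" + digits


def find_user_by_phone(phone: str):
    phone = normalize_phone(phone)
    for u in USERS:
        if normalize_phone(u.phone) == phone:
            return u
    return None


class FakeFirebase:
    """Stand-in for the Firebase session check (assumption). A real deployment
    verifies a signed ID token; here a token is a constructed string that maps
    to the phone number Firebase actually sent the OTP to."""
    _sessions = {"tok-attacker": "+15550000099"}

    @classmethod
    def verify(cls, token: str):
        # Phone number bound to the session, or None if the session is invalid.
        return cls._sessions.get(token)


def login_vulnerable(request: dict):
    """Mirrors the described flaw: the Firebase session is validated, but the
    number it asserts is never compared with request['phone_number']."""
    firebase_phone = FakeFirebase.verify(request["firebase_token"])
    if firebase_phone is None:
        return None  # invalid session: no login
    # BUG: identity comes from the attacker-controlled request field.
    user = find_user_by_phone(request["phone_number"])
    return user.login if user else None


def login_fixed(request: dict):
    """Hardened form: the only identity source is the number Firebase verified.
    A client-supplied number is tolerated only as a hint that must match it."""
    firebase_phone = FakeFirebase.verify(request["firebase_token"])
    if firebase_phone is None:
        return None
    claimed = request.get("phone_number")
    if claimed is not None and normalize_phone(claimed) != normalize_phone(firebase_phone):
        return None  # session is not bound to the claimed identity
    user = find_user_by_phone(firebase_phone)
    return user.login if user else None


# Constructed requests: attacker's own session, victim's number (with formatting
# noise, to show why the comparison must normalize) versus an honest request.
ATTACK = {"firebase_token": "tok-attacker", "phone_number": "+1 555 000 0001"}
HONEST = {"firebase_token": "tok-attacker", "phone_number": "+15550000099"}

if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(ATTACK))
    print("fixed     :", login_fixed(ATTACK))
    print("fixed own :", login_fixed(HONEST))
```

The design point is that the verified credential, not the request, must be the source of identity: looking the user up by the session's phone number removes the attacker-controlled input from the decision entirely, and normalizing both sides before comparison avoids a bypass through formatting differences in the stored number.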
Impact
Successful exploitation allows an attacker to authenticate as any WordPress user who has a phone number stored in user meta, including administrators. This grants the attacker full access to the compromised account, potentially leading to complete site takeover, data disclosure, and further compromise.
Mitigation
Changeset r3479314 to trunk/inc/ajax-handlers.php is listed as the patch, and the affected range ends at 1.8.60; update to a release that includes that changeset. If updating is not possible, disable the plugin, since no workaround is published. The plugin is not listed in the CISA KEV.
- https://plugins.trac.wordpress.org/browser/login-with-phone-number/trunk/inc/ajax-handlers.php#L649
- https://plugins.trac.wordpress.org/changeset/3479314/login-with-phone-number/trunk/inc/ajax-handlers.php?old=3455810&old_path=login-with-phone-number%2Ftrunk%2Finc%2Fajax-handlers.php
- https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.60/inc/ajax-handlers.php#L1167
- https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.60/inc/ajax-handlers.php#L649
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=1.8.50, <=1.8.60
- (no CPE) range: >=1.8.50, <=1.8.60
Patches
- r3479314
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.60/inc/ajax-handlers.php (nvd)
- plugins.trac.wordpress.org/browser/login-with-phone-number/trunk/inc/ajax-handlers.php (nvd)
- plugins.trac.wordpress.org/changeset/3479314/login-with-phone-number/trunk/inc/ajax-handlers.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/7fc410f2-5f2b-4eea-a0fb-fe58f988f95f (nvd)
News mentions
No linked articles in our index yet.